From ${URL} : Cacti upstream's svn [1] has a fix for CVE-2014-4002. No more technical information is available unfortunately. It might be that the change before this revision is also involved [2].

[1] http://svn.cacti.net/viewvc?view=rev&revision=7452
[2] http://svn.cacti.net/viewvc?view=rev&revision=7451

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-5026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5026):
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action.

CVE-2014-5025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5025):
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.

CVE-2014-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4002):
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.
*** Bug 540286 has been marked as a duplicate of this bug. ***
http://www.cacti.net/changelog.php :

= 0.8.8c =
bug#0002383: Sanitize the step and id variables CVE-2013-5588, CVE-2013-5589
bug#0002405: SQL injection in graph_xport.php
bug#0002431: CVE-2014-2326 Unspecified HTML Injection Vulnerability
bug#0002432: CVE-2014-2327 Cross Site Request Forgery Vulnerability - Special Thanks to Deutsche Telekom CERT
bug#0002433: CVE-2014-2328 Unspecified Remote Command Execution Vulnerability
bug#0002453: CVE-2014-4002 Cross-Site Scripting Vulnerability - Special Thanks to G. Geshev (munmap)
bug#0002455: Incomplete and incorrect input parsing leads to remote code execution and SQL injection attack scenarios
bug#0002456: CVE-2014-5025 / CVE-2014-5026 - Cross-Site Scripting Vulnerability - Special Thanks to Adan Alvarez and Paul Gevers
Fixed in 0.8.8c; we have 0.8.8d stable in tree. Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201509-03 at https://security.gentoo.org/glsa/201509-03 by GLSA coordinator Kristian Fiskerstrand (K_F).